unit 9.1: republic act 10173 article I-VII

Data Privacy Act of 2012

RA 10173

• Protect the fundamental human right of privacy, of communication while ensuring free flow of information
• Vital role of information and communications technology in nation-building
• To ensure that personal information are secured and protected.

Section 2. Declaration of Policy

National Privacy Commission

Section 3. Definition of Terms

Commission

Data subject

Section 3. Definition of Terms

individual whose personal information is being processed

Personal information

Section 3. Definition of Terms

any info whether recorded in material form or not, from which the identity of an individual is apparent

Personal information controller

Section 3. Definition of Terms

person or organization who controls the collection, holding, processing or use of personal information

Processing

Section 3. Definition of Terms

any operation or any set of operations performed upon personal information

government institution

Section 4. Scope - Does not apply

• any individual who is or was an officer or employee
• performing service under contract

discretionary benefit

Section 4. Scope - Does not apply

• a financial nature

public authority

Section 4. Scope - Does not apply

• Information necessary in order to carry out the functions of ___

financial institutions

Section 4. Scope - Does not apply

• Information necessary for banks and other ___

residents of foreign jurisdictions

Section 4. Scope - Does not apply

• Personal information originally collected from ___

Republic Act No. 53

Section 5. Protection Afforded to Journalists & Sources

publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication

Extraterritorial Application

Section 6.

Personal information about a Philippine citizen or a resident

Compliance

Section 7. Functions of the National Privacy Commission

1. ___ of personal information controllers

Complaints

Section 7. Functions of the National Privacy Commission

2. Receive ___, institute investigations, facilitate or enable settlement, prepare reports on disposition, and resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any such report

modification of privacy codes

Section 7. Functions of the National Privacy Commission

3. Review, approve, reject or require ___ voluntarily adhered to by personal information controllers

Provide assistance

Section 7. Functions of the National Privacy Commission

4. ___ on matters relating to privacy or data protection

implication on data privacy

Section 7. Functions of the National Privacy Commission

5. Comment on the ___ of proposed national or local statutes, regulations or procedures, issue advisory opinions and interpret the provisions

Propose legislation, amendments or modifications

Section 7. Functions of the National Privacy Commission

6. ___ to Philippine laws

data privacy regulators in other countries

Section 7. Functions of the National Privacy Commission

7. Ensure proper and effective coordination with ___ and private accountability agents, participate in international and regional initiatives for data privacy protection

cross-border application and implementation of respective privacy laws

Section 7. Functions of the National Privacy Commission

8. Negotiate and contract with other data privacy authorities of other countries for ___

foreign privacy

Section 7. Functions of the National Privacy Commission

9. Assist Philippine companies doing business abroad to respond to ___ or data protection laws and regulations

cross-border enforcement

Section 7. Functions of the National Privacy Commission

10. Generally perform such acts as may be necessary to facilitate ___ of data privacy protection

Confidentiality

Section 8.

Privacy Commissioner: Raymund Enriquez Liboro

Section 9. Organizational Structure of the Commission

• must be at least thirty-five years of age
• good moral character, unquestionable integrity and known probity, and a recognized expert in the field of information technology and data privacy

Deputy Privacy Commissioner: Leandro Angelo Aguirre & John Henry Naga

Section 9. Organizational Structure of the Commission

• recognized experts in the field of information and communications technology and data privacy

3 years, additional 3 years reappointment (3-6 years)

Section 9. Organizational Structure of the Commission

Term

5 years:

• Social Security System (SSS)
• Government Service Insurance System (GSIS)
• Land Transpo Office (LTO)
• Bureau of Internal Revenue (BIR)
• PhilHealth
• COMELEC
• Dep of Foreign Affairs (DFA)
• Dep of Justice (DOJ)
• PH Postal Corp. (Philpost)

Section 10. Secretariat

must have served ___ in any of the ff government agencies

General Data Privacy Principles

Section 11.

Criteria for Lawful Processing of Personal Info

Section 12.

Sensitive Personal Info & Privileged Info

Section 13.

Subcontract of Personal Info

Section 14.

Extension of Privileged Communication

Section 15.

Rights of Data Subject

Section 16.

Transmissibility of Rights of Data Subject

Section 17.

Lawful heirs

Right to Data Portability

Section 18.

Electronic means and in a structured and commonly used format

Scientific and statistical research

Section 19. Non-Applicability

protection of personal information

Section 20. Security of Personal Info

• controller must implement reasonable and appropriate organizational, physical and technical measures intended for the ___

natural dangers

Section 20. Security of Personal Info

• controller shall implement reasonable and appropriate measures to protect personal information against ___

nature of the personal information

Section 20. Security of Personal Info

• determination of appropriate level of security measures take into account ___

third parties

Section 20. Security of Personal Info

• controller must further ensure that ___ processing personal information on its behalf shall implement the security measures

strict confidentiality

Section 20. Security of Personal Info

• employees, agents or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under ___

identity fraud

Section 20. Security of Personal Info

• controller shall promptly notify the Commission and affected data subjects when sensitive personal information may be used to enable ___

Principle of Accountability

Section 21.

Responsibility of Heads of Agencies

Section 22.

On-site and Online Access

Section 23. Requirements Relating to Access by Agency Personnel to Sensitive Personal Info

• unless the employee has received a security clearance from the head of the source agency

Off-site Access

Section 23. Requirements Relating to Access by Agency Personnel to Sensitive Personal Info

• unless the head of the agency has ensured the implementation of privacy, policies, and appropriate security measures

2 business days

Section 23. Requirements Relating to Access by Agency Personnel to Sensitive Personal Info - Off-site Access

• In the case of any request submitted to the head of an agency, the head of the agency shall approve or disapprove the request within ___

not more than 1000 records

Section 23. Requirements Relating to Access by Agency Personnel to Sensitive Personal Info - Off-site Access

• If a request is approved

Encryption

Section 23. Requirements Relating to Access by Agency Personnel to Sensitive Personal Info - Off-site Access

• for purposes of off-site access shall be secured by the use of ___

Applicability to Government Contractors

Section 24.

• In entering into any contract that may involve accessing or requiring sensitive personal information from one thousand (1,000) or more individuals, an agency shall require a contractor and its employees to register their personal information processing system